c) You might be able to do both winsync and trusts at the same time then that
is simpler provisioning. ie a user gets created in AD and automatically gets
created in IPA ready for you to put in the user group you want.
I am not sure this is the best solution really.
Trust and sync do not help each other. The fact that you have trust does not
help you to provision users the way you describe.
8><------
They achieve different things. How otherwise do I get 2000+ AD users into
IPA? To me winsync allows automated provisioning of users into IPA via AD,
this greatly reduces manual effort.